Phishing Campaign Exploits Google Storage to Deploy Remcos RAT

Severity: High (Score: 69.0)

Sources: Reddit, Gbhackers, Cybersecuritynews

Summary

A multi-stage phishing campaign has been identified that abuses Google Cloud Storage (storage.googleapis.com) to deliver the Remcos remote access trojan (RAT). Because the phishing pages are hosted on Google's own infrastructure, reputation- and domain-based controls see a trusted host, which makes both detection and takedown harder. Victims are lured to a fake Google Drive login page that captures credentials and one-time passwords (OTPs); since the OTP is captured along with the password, an OTP-based second factor does not by itself stop the account compromise. After the "successful" login, the victim is prompted to download a malicious JavaScript file, which starts a multi-stage delivery chain (with VBScript and PowerShell stages, per the techniques listed below) ending in the deployment of Remcos. The payload is loaded by process hollowing into a legitimately signed binary (RegSvcs.exe is the one named in this report), so signer reputation alone does not catch it; detection has to rest on process behaviour. Harvested credentials are exfiltrated to specific attacker-controlled domains. The campaign is not sector-specific and poses a significant risk to users globally.

Key Points:
  • Attackers abuse Google Cloud Storage to host the phishing pages that deliver Remcos RAT.
  • Victims are tricked into entering credentials and OTPs on a fake Google Drive login page.
  • Detection is complicated by trusted hosting and by the use of legitimately signed binaries (RegSvcs.exe) as injection hosts.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • storage.googleapis.com (domain)
  • Remcos (malware)
  • T1055.012 - Process Hollowing (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.005 - Visual Basic (mitre_attack)
  • T1547 - Boot Or Logon Autostart Execution (mitre_attack)
  • Google Cloud Storage (platform)
  • Google Drive (tool)
  • RegSvcs.exe (tool)
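The report's point is that signer reputation fails here, because every host in the chain is a signed Microsoft binary, and that detection must instead key on process behaviour. The following is an added example written for this page, not code from the reporting sources or from the campaign's analysts: a small behavioural detector over Sysmon-style process-creation records that flags the parent/child chains implied by the techniques listed above (script host to PowerShell, PowerShell to a hollowing host such as RegSvcs.exe, an autostart Run key write) while ignoring who signed the binaries. The event records are constructed to resemble Sysmon Event ID 1 fields and are not real campaign telemetry; the exact stage order, the command lines, the Run-key sub-technique and the extra .NET hosts (RegAsm.exe, InstallUtil.exe) beyond RegSvcs.exe are assumptions, and the T1059.007 (JavaScript) label for the first stage is mine rather than the page's.

```python
"""Behavioural detection over Windows process-creation telemetry.

Added example for this page; it is not code from the reporting sources.
The events below are CONSTRUCTED to resemble Sysmon Event ID 1 fields
(parent image, image, command line); they are not real campaign logs.
"""
from dataclasses import dataclass
from typing import List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Signed .NET Framework utilities abused as process-hollowing hosts.
# RegSvcs.exe is the one this page names; the other two are assumptions.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")  # assumed sub-technique


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


Finding = Tuple[int, str, str]  # (pid, ATT&CK technique, description)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Flag the parent/child chains associated with the Remcos delivery.

    Signer reputation is deliberately not consulted: every image here is a
    legitimately signed Microsoft binary, which is why the report argues
    for behavioural rather than reputation-based detection.
    """
    findings: List[Finding] = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        cmd = ev.command_line.lower()

        # Stage 1: the downloaded .js run by a script host from a
        # user-writable directory (the lure's "download" step).
        if child in SCRIPT_HOSTS and ".js" in cmd and any(p in cmd for p in USER_WRITABLE):
            findings.append((ev.pid, "T1059.007", "script host running .js from a user-writable path"))

        # Stage 2: script host hands off to PowerShell (T1059.005/T1059.001).
        if parent in SCRIPT_HOSTS and child in POWERSHELL:
            findings.append((ev.pid, "T1059.001", f"{parent} spawned {child}"))

        # Stage 3: PowerShell starts a signed .NET host with no assembly
        # argument, the shape of hollowing into RegSvcs.exe (T1055.012).
        if parent in POWERSHELL and child in HOLLOWING_HOSTS and ".dll" not in cmd:
            findings.append((ev.pid, "T1055.012", f"{child} launched by PowerShell without an assembly"))

        # Persistence: any process writing an autostart Run key (T1547).
        if any(k in cmd for k in RUN_KEYS):
            findings.append((ev.pid, "T1547", f"{child} writing an autostart Run key"))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent(4001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Shared_Document.js"'),
    ProcEvent(4002, r"C:\Windows\System32\wscript.exe", PS,
              r"powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"),
    ProcEvent(4003, PS, REGSVCS, REGSVCS),  # bare launch: nothing to register
    ProcEvent(4004, PS, r"C:\Windows\System32\reg.exe",
              r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\alice\AppData\Roaming\svc.vbs"'),
    # Benign: build tooling registering a COM+ assembly with the same signed host.
    ProcEvent(5001, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", REGSVCS,
              r'RegSvcs.exe "C:\src\MyApp\bin\MyComponent.dll"'),
    # Benign: an interactive PowerShell session.
    ProcEvent(5002, r"C:\Windows\explorer.exe", PS, r"powershell.exe Get-ChildItem C:\Users\alice\Documents"),
]

if __name__ == "__main__":
    for pid, technique, why in detect(SAMPLE_EVENTS):
        print(f"pid={pid} {technique}: {why}")
```

The two benign records show the design choice: the legitimate RegSvcs.exe invocation (a build tool passing an assembly path) and the interactive PowerShell session produce no findings, while the four stages of the malicious chain each fire on their parent, child and command-line shape alone. In production the same rules translate directly into Sysmon Event ID 1 or EDR process-tree queries; the reputation of the signed host never enters the logic.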